Atalho

News

ANPD publishes Technical Note on the processing of personal data by drugstores 

19/05/2023

In brief

On Friday (05/12), the Brazilian Data Protection Authority (ANPD) published Technical Note No. 4/2023/CGTP/ANPD with a diagnosis of the study it conducted to verify the conformity of the processing of personal data by drugstores with the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD).

In more detail

The study was motivated due to investigations by the Public Prosecutor Office  of the Federal District and Territories – MPDFT, due to the Conduct Adjustment Agreement entered into between the Public Prosecutor Office  of the State of Minas Gerais – MPMG and a drugstore chain, due to complaints from data subjects and due to a notification from a civil society organization of protection of consumer consumers’ rights regarding pharmaceutical retail market practices regarding the processing of personal data.

By conducting a random monitoring of the sector, between 2020 and 2021, ANPD assessed the state of maturity of the processing activities of personal data carried out by drugstores. In addition to the study, ANPD also promoted workshops, technical meetings and dialogues with associations representing the drugstore sector.

The Technical Note presents the criteria used by ANPD to conduct its assessment and to produce its preliminary findings on data processing by the sector. In general, ANPD identified, for example, low maturity of processing agents, lack of knowledge of LGPD concepts, lack of preparation on the subject of data protection, lack of full compliance with LGPD with regards to some data processing, data processing for purposes other than those informed to the data subjects, lack of transparency regarding the processing performed, excessive use of biometric data, need to improve measures of prevention, information security governance and risk assessment for the processing of personal data, among other issues.

ANPD showed concern about specific aspects that should be included in the drugstores data protection conformity projects and adopted an educational approach, pointing out what the next measures will be for guidance and monitoring of companies in the sector.

The Technical Note reveals some relevant aspects that were taken into account and measures adopted by ANPD for its assessment of compliance with LGPD. We highlight some of these aspects below:

  • conduction of investigation to understand the architecture of personal data processing activities and the categories of processed data, given the variety of models and multiplicity of processing agents;
     
  • inspection of the institutional websites of the studied drugstores to confirm whether they provided information regarding their privacy policies;
     
  • analysis of samples of privacy policies from the studied drugstores and from other pharmaceutical groups with greater territorial coverage and with significant  number of customers, aiming at verifying their adequacy to LGPD;
     
  • analysis of the legal basis used to justify the processing of personal data and of the inconsistencies it identified;
     
  • selection of some common practices in these drugstores to conduct deeper investigation of the processing activities they involved, such as discounts offers linked to the collection of personal data without clear information for data subjects; healthcare insurance plans (that offers benefit and discounts to its users); loyalty programs; benefit programs; communication and marketing; delivery services; and data sharing with third parties;
     
  • risk of defective consent for data processing in loyalty programs and discount offers;
     
  • verification of how drugstores process biometric data, the proportionality of these processing activities in light of the intended purposes, and how they inform data subjects of these processing activities, as well as consideration on the use of other tools for identity verification that may be less burdensome in relation to use of sensitive personal data, such as username and password – Note: Until now, ANPD has not published a regulation regarding the processing of biometric data. However, in its Regulatory Agenda for the 2023-2024 biennium (Ordinance No. 35/22), ANPD predicts that it will begin to regulate biometric data within one year and six months of its publication;
     
  • verification of the existence (or not) of prevention and security measures compatible with the data processing carried out.

As final considerations, ANPD remarks that, as a result of this study on the pharmaceutical retail sector:

  • it succeeded in consolidating the main points of concern in relation to sectoral adequacy projects;
     
  • it identified which points still need further investigation and clarification;
     
  • it verified the need for further research and investigation regarding loyalty programs, and the need for pursuing more information from processing agents external to the relationships among drugstore chains (companies that manage these programs), in order to seek more clarity about the functions of each processing agent in the processing of personal and sensitive data within the scope of loyalty programs, as well as on the forms of data sharing with and by the managers of these programs;
     
  • it understands that the knowledge generated (with this study) can be reverted on behalf of to the society through the preparation of educational material for the sector, indicating the concerns raised and appropriate measures of adequacy for the types of processing described therein;
     
  • it proposes a joint initiative with the National Consumer Secretariat – SENACON – to define regulation and compliance strategies for the sector regarding the conditioning of prices to the provision of consent in some processing of personal data by the sector;
     
  • it suggests verifying that possible sectorial guidelines may be prepared by the General Coordination for Standardization;
     
  • it submits the Technical Note for consideration and analysis by the General Inspection Coordination and for the adoption of any measures it deems appropriate, especially for the purposes of planning inspection activities, inventive of a culture of data protection, for  correction of irregular practices and repair any damages, among other actions.

The Technical Note has not regulatory nature, but demonstrates ANPD understandings on matters related to data protection and gives indications on how the Authority will interpret and make decisions on the topics addressed therein.

In addition, the Technical Note also may give an indication as to how the ANPD may conduct studies and investigations in other sectors for the purposes of regulation, inspection and application of penalties.

Share on Social Media
Trench Rossi Watanabe
São Paulo
Rua Arq. Olavo Redig de Campos, 105
31º andar - Edifício EZ Towers
Torre A | O4711-904
São Paulo - SP - Brasil
Rio de Janeiro
Rua Lauro Muller, 116 - Conj. 2802
Ed. Rio Sul Center | 22290-906
Rio de Janeiro - RJ - Brasil
Brasília
Saf/s Quadra 02 - Lote 04 - Sala 203
Ed. Comercial Via Esplanada | 70070-600
Brasília - Distrito Federal - Brasil
Porto alegre
Av. Soledade, 550
Cj. 403 e 404 | 90470-340
Porto Alegre - RS - Brasil
press
JeffreyGroup
trw@jeffreygroup.com

Terms of Use

Privacy Policy

Ethics Channel

Ícone do Instagram
Ícone do Podcast
Ícone do Facebook
Ícone do YouTube
Ícone do Linkedin